After having a look at test results and having a look at vulnerabilities I had to fix in order to gain a better score, I will finally share on this blog post how I fixed everything to get a A+ score.

This score will allow you to have a better security when exchanging keys and information between your server and your clients because it is computed depending on vulnerabilities you are open to.

What are these vulnerabilities?

Here is a list of most known vulnerabilities you have to fix:

CLR / OCSP: Initially, certificated validation was using the CLR method (Certificate Revocation List). Problem with this solution is that the list has grown considerably and now takes a long time to download.

That's why you know have to use the Online Certificate Status Protocol (OCSP) which is really more lighter because only one record is returned and the verification process is delegated to the certification authority.

Logjam - Weak Diffie-Hellman (DH): This is a "man-in-the-middle" attack which allows to downgrade cyptography of TLS alhorithm to 512 bits in order to allow attacker to read and modify data which are transited.

We will be able to fix this vulnerability by giving to our server a special key. We will see this later.

Some ciphers: Some ciphers suite also are compromised so you have to delete them from your web server configuration in order to allow trusted ciphers only.

Please note that OpenSSL will only use the ciphers you can use in your current version so don't hesitate to put a full list.

Heartbleed: This recent vulnerability was published on april 2014 and occured in the OpenSSL cryptography. This is now fixed in recent versions.

I invite your to update your OpenSSL versions. Here are the vulnerable ones:

OpenSSL 1.0.1 to 1.0.1f (included) are vulnerable

OpenSSL 1.0.1g is not vulnerable

OpenSSL 1.0.0 branch is not vulnerable

OpenSSL 0.9.8 branch is not vulnerable

In order to retrieve your OpenSSL version (and to update it if required):

$ openssl version
OpenSSL 1.0.1t 3 May 2016

Next, let's see how to fix these vulnerabilities in our web server configuration!

I am personnally using Nginx but I also give your the Apache configuration in this article.

Virtualhost configuration

Let's start by updating your virtualhost configuration in order to specify it the ssl keys and certificate and also add a new HSTS header to it in order to specify that this website will only be available over HTTPS.

OCSP Protocol

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Diffie-Hellman (DH) parameters

For this fix, you have to generate a new key first (at least 2048 bits, I personnaly generated a 4096 bits one) that will secure key exchanges. I advise you to run it in a screen because it can be really long: 8 hours in my case: